CVE-2026-45321 PUBLISHED

Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 12.05.2026 Updated: 12.05.2026

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9.6

Product Status

Vendor @tanstack
Product arktype-adapter
Versions
  • Version 1.166.12 is affected
  • Version 1.166.15 is affected
Vendor @tanstack
Product eslint-plugin-router
Versions
  • Version 1.161.9 is affected
  • Version 1.161.12 is affected
Vendor @tanstack
Product eslint-plugin-start
Versions
  • Version 0.0.4 is affected
  • Version 0.0.7 is affected
Vendor @tanstack
Product history
Versions
  • Version 1.161.9 is affected
  • Version 1.161.12 is affected
Vendor @tanstack
Product nitro-v2-vite-plugin
Versions
  • Version 1.154.12 is affected
  • Version 1.154.15 is affected
Vendor @tanstack
Product react-router
Versions
  • Version 1.169.5 is affected
  • Version 1.169.8 is affected
Vendor @tanstack
Product react-router-devtools
Versions
  • Version 1.166.16 is affected
  • Version 1.166.19 is affected
Vendor @tanstack
Product react-router-ssr-query
Versions
  • Version 1.166.15 is affected
  • Version 1.166.18 is affected
Vendor @tanstack
Product react-start
Versions
  • Version 1.167.68 is affected
  • Version 1.167.71 is affected
Vendor @tanstack
Product react-start-client
Versions
  • Version 1.166.51 is affected
  • Version 1.166.54 is affected
Vendor @tanstack
Product react-start-rsc
Versions
  • Version 0.0.47 is affected
  • Version 0.0.50 is affected
Vendor @tanstack
Product react-start-server
Versions
  • Version 1.166.55 is affected
  • Version 1.166.58 is affected
Vendor @tanstack
Product router-cli
Versions
  • Version 1.166.46 is affected
  • Version 1.166.49 is affected
Vendor @tanstack
Product router-core
Versions
  • Version 1.169.5 is affected
  • Version 1.169.8 is affected
Vendor @tanstack
Product router-devtools
Versions
  • Version 1.166.16 is affected
  • Version 1.166.19 is affected
Vendor @tanstack
Product router-devtools-core
Versions
  • Version 1.167.6 is affected
  • Version 1.167.9 is affected
Vendor @tanstack
Product router-generator
Versions
  • Version 1.166.45 is affected
  • Version 1.166.48 is affected
Vendor @tanstack
Product router-plugin
Versions
  • Version 1.167.38 is affected
  • Version 1.167.41 is affected
Vendor @tanstack
Product router-ssr-query-core
Versions
  • Version 1.168.3 is affected
  • Version 1.168.6 is affected
Vendor @tanstack
Product router-utils
Versions
  • Version 1.161.11 is affected
  • Version 1.161.14 is affected
Vendor @tanstack
Product router-vite-plugin
Versions
  • Version 1.166.53 is affected
  • Version 1.166.56 is affected
Vendor @tanstack
Product solid-router
Versions
  • Version 1.169.5 is affected
  • Version 1.169.8 is affected
Vendor @tanstack
Product solid-router-devtools
Versions
  • Version 1.166.16 is affected
  • Version 1.166.19 is affected
Vendor @tanstack
Product solid-router-ssr-query
Versions
  • Version 1.166.15 is affected
  • Version 1.166.18 is affected
Vendor @tanstack
Product solid-start
Versions
  • Version 1.167.65 is affected
  • Version 1.167.68 is affected
Vendor @tanstack
Product solid-start-client
Versions
  • Version 1.166.50 is affected
  • Version 1.166.53 is affected
Vendor @tanstack
Product solid-start-server
Versions
  • Version 1.166.54 is affected
  • Version 1.166.57 is affected
Vendor @tanstack
Product start-client-core
Versions
  • Version 1.168.5 is affected
  • Version 1.168.8 is affected
Vendor @tanstack
Product start-fn-stubs
Versions
  • Version 1.161.9 is affected
  • Version 1.161.12 is affected
Vendor @tanstack
Product start-plugin-core
Versions
  • Version 1.169.23 is affected
  • Version 1.169.26 is affected
Vendor @tanstack
Product start-server-core
Versions
  • Version 1.167.33 is affected
  • Version 1.167.36 is affected
Vendor @tanstack
Product start-static-server-functions
Versions
  • Version 1.166.44 is affected
  • Version 1.166.47 is affected
Vendor @tanstack
Product start-storage-context
Versions
  • Version 1.166.38 is affected
  • Version 1.166.41 is affected
Vendor @tanstack
Product valibot-adapter
Versions
  • Version 1.166.12 is affected
  • Version 1.166.15 is affected
Vendor @tanstack
Product virtual-file-routes
Versions
  • Version 1.161.10 is affected
  • Version 1.161.13 is affected
Vendor @tanstack
Product vue-router
Versions
  • Version 1.169.5 is affected
  • Version 1.169.8 is affected
Vendor @tanstack
Product vue-router-devtools
Versions
  • Version 1.166.16 is affected
  • Version 1.166.19 is affected
Vendor @tanstack
Product vue-router-ssr-query
Versions
  • Version 1.166.15 is affected
  • Version 1.166.18 is affected
Vendor @tanstack
Product vue-start
Versions
  • Version 1.167.61 is affected
  • Version 1.167.64 is affected
Vendor @tanstack
Product vue-start-client
Versions
  • Version 1.166.46 is affected
  • Version 1.166.49 is affected
Vendor @tanstack
Product vue-start-server
Versions
  • Version 1.166.50 is affected
  • Version 1.166.53 is affected
Vendor @tanstack
Product zod-adapter
Versions
  • Version 1.166.12 is affected
  • Version 1.166.15 is affected

Problem Types

  • CWE-506: Embedded Malicious Code